The Role of the Vulnerability Audit in Crisis Prevention

By Jonathan Bernstein
As Written for Arizona Attorney

A severely neglected aspect of crisis communications is crisis prevention. Prior to suffering their first major crisis, few organizations invest the time necessary to take a hard look at their own vulnerabilities except in the context of legally required risk management.

A vulnerability audit is a thorough self-inspection designed to identify potential crises before they occur and pave the way for creation of a crisis communications plan which will allow an organization to avoid, or at least minimize, the negative impact of such crises.

This is done by:

    1. Collecting data from people in key information flow positions. Senior executives are not always aware of all of the circumstances which can lead to the birth of a crisis. Hence, interviews are conducted with both white- and blue-collar personnel at various echelons of the company, typically a minimum of 20 interviews. Multi-location businesses usually require interviews with remote location personnel who have insights specific to their area.
    2. These interviews are conducted on an extremely confidential basis. Ideally, interviewees are told that the firm’s senior management will not, under any circumstances, be told “who said what.” Information gleaned during the interview process includes (1) potentially harmful trends (facts or perceptions reported by multiple sources); (2) significant inconsistencies between answers from different subjects; (3) non-verbal cues that there may be something amiss in certain areas, which then prompts further questioning; and, (4) consensus opinion regarding the probability of certain types of crises.
    3. Looking for operational and communications weaknesses which could cause or contribute to a crisis.An employee who’s a “loose cannon” is a more obvious potential source of problems, even if he/she is well-intentioned, but there are less obvious issues revealed through the vulnerability audit process. For example, one past client relied on a single fax machine for incoming and outgoing faxes from its headquarters offices during a crisis, which tremendously delayed communication with a number of important audiences. The simple addition of fax machines, creation of broadcast fax/email lists and similar tactics can often greatly improve crisis response.
    4. Anticipating actual crisis scenarios. Every organization is vulnerable to certain types of crises inherent in the nature of its business, plus others inherent, perhaps, in the nature of its particular style of operating. Additionally, the vulnerability audit has been known to reveal “skeletons” of which senior management may not have been aware.
    5. Reporting results. The conclusions from the vulnerability audit are then analyzed and presented both as a in-person briefing and in writing as follows:
      1. Recommendations for systems revisions: If there are changes (such as the aforementioned addition of fax machines) which can optimize crisis prevention and response, they are recommended.
      2. Discussion of scenarios most likely to affect the client company: The audit will lead to a list of “most likely” scenarios with which the client company may deal in the future. At the in-person presentation of audit results, that list is finalized (which often results in deletion or addition of some scenarios) and then the management team brainstorms both general and audience-specific key messages for each scenario.

The information collected during the vulnerability audit process is used as the basis for writing a manual which will guide the entire organization in the communications aspects of responding to crisis situations, to include clear delineation of individual responsibilities and draft responses which reflect the company’s values while considering the public’s sensitivities and need to know.

The bottom line results include:

  • Crises prevented before they happen
  • Response time for crisis response dramatically enhanced
  • Operational weaknesses corrected
  • Cost of crises reduced

One would think that, given those benefits, this would be an automatic part of the business planning process. Perhaps one day it will be but, for now, less than five percent of businesses I’ve encountered have undergone the crisis vulnerability audit and crisis plan creation process. More common is the purchase and adaptation of an “off the shelf” crisis plan. How good are they? Well, would you run your business on an off-the-shelf business plan?


Interested on talking to a crisis management expert now? Click this link for ways to get in touch!

Leave a Reply